Context Navigation

source: libabac/abac.hh @ 0b3ac65

mei_rt2mei_rt2_fix_1

Last change on this file since 0b3ac65 was 0b3ac65, checked in by Mei <mei@…>, 12 years ago
1) add some inlined api doc into abac.hh
Property mode set to `100644`
File size: 32.9 KB

Line
1	#ifndef __ABAC_HH__
2	#define __ABAC_HH__
3
4	#include <string>
5	#include <vector>
6
7	namespace ABAC {
8	extern "C" {
9	#include "abac.h"
10	}
11	static int debug=0;
12	class Role;
13	class Oset;
14	/***
15	ABAC::Constraint
16	This is a constraint on a data term. It holds a ptr to
17	a abac_condition_t structure
18	***/
19	class Constraint {
20	public:
21	/***
22	Constraint()
23	default constructure, do not use, for swig only
24	Constraint(const Constraint &)
25	copy constructor, used for cloning a constraint
26	~Constraint()
27	default destructor
28	***/
29	Constraint() : m_constraint(NULL) { }
30	Constraint(const Constraint &constraint) {
31	m_constraint =abac_condition_dup(constraint.m_constraint);
32	}
33	~Constraint() {
34	if(m_constraint) abac_condition_free(m_constraint);
35	}
36	/***
37	Constraint(Role &)
38	constructor that takes a constraining role
39	[role:?R[{role-constraint}]
40	Constraint(Oset &)
41	constructor that takes a constraining oset
42	[oset:?O[{oset-constraint}]
43	[urn:?F[keyid:$alpha_keyid].oset:documents([string:?P])]
44	Constraint(abac_condition_t *)
45	constructor that takes a abac_condition_t structure
46	Constraint(char *)
47	constructor that takes one of following string
48	as its vartype to set up a range constraint:
49	"integer"
50	"urn"
51	"float"
52	"boolean"
53	"time"
54	"string"
55	It should be followed with one or many of following utility
56	calls.
57	***/
58	Constraint(Role& role);
59	Constraint(Oset& oset);
60	Constraint(abac_condition_t *constraint):
61	m_constraint(abac_condition_dup(constraint))
62	{ }
63	Constraint(char *vartype) {
64	m_constraint=abac_condition_create(vartype);
65	}
66	/***
67	void add_constraint_integer_max(int)
68	void add_constraint_integer_min(int)
69	utility routines to setup a integer range constraint
70	[integer:?I[10 .. 20]]
71	void add_constraint_integer_target(int)
72	utility routine to setup a integer list constraint
73	[integer:?I[10,20]]
74	***/
75	void add_constraint_integer_max(int val) {
76	abac_condition_add_range_integer_item(m_constraint,abac_max_item_type(),val);
77	}
78	void add_constraint_integer_min(int val) {
79	abac_condition_add_range_integer_item(m_constraint,abac_min_item_type(),val);
80	}
81	void add_constraint_integer_target(int val) {
82	abac_condition_add_range_integer_item(m_constraint,abac_target_item_type(),val);
83	}
84	/***
85	void add_constraint_float_max(float)
86	void add_constraint_float_min(float)
87	utility routines to setup a float range constraint
88	[float:?F[1.0 .. 2.5]]
89	void add_constraint_float_target(float)
90	utility routine to setup a float list constraint
91	[float:?F[0.5, 2.5]]
92	***/
93	void add_constraint_float_max(float val) {
94	abac_condition_add_range_float_item(m_constraint,abac_max_item_type(),val);
95	}
96	void add_constraint_float_min(float val) {
97	abac_condition_add_range_float_item(m_constraint,abac_min_item_type(),val);
98	}
99	void add_constraint_float_target(float val) {
100	abac_condition_add_range_float_item(m_constraint,abac_target_item_type(),val);
101	}
102	/***
103	void add_constraint_time_max(char*)
104	void add_constraint_time_min(char*)
105	utility routines to setup a time range constraint,
106	takes quoted string values, beyond T is optional
107	[time:?M["20201101T182930"]]
108	[time:?M["20201101T"]]
109	void add_constraint_time_target(char*)
110	utility routine to setup a time list constraint
111	[time:?F["20120228T080000" .. "20120228T090000"]]
112	***/
113	void add_constraint_time_max(char* val) {
114	abac_condition_add_range_time_item(m_constraint,abac_max_item_type(),val);
115	}
116	void add_constraint_time_min(char* val) {
117	abac_condition_add_range_time_item(m_constraint,abac_min_item_type(),val);
118	}
119	void add_constraint_time_target(char* val) {
120	abac_condition_add_range_time_item(m_constraint,abac_target_item_type(),val);
121	}
122	/***
123	void add_constraint_urn_target(char*)
124	utility routine to setup a an urn list constraint
125	[urn:?U["fileA","http://fileB"]]
126	void add_constraint_string_target(char*)
127	utility routine to setup a a string list constraint
128	[string:?S["abc",'efg',"hij"]]
129	void add_constraint_boolean_target(char*)
130	utility routine to setup a a boolean list constraint
131	[boolean:?B['true']]
132	***/
133	void add_constraint_urn_target(char* val)
134	{ abac_condition_add_range_urn_item(m_constraint,val); }
135	void add_constraint_string_target(char* val)
136	{ abac_condition_add_range_string_item(m_constraint,val); }
137	void add_constraint_boolean_target(char* val)
138	{ abac_condition_add_range_boolean_item(m_constraint,val); }
139	/***
140	char *string() const
141	returns literal string of the constraint
142	char *typed_string() const
143	returns typed literal string of the constraint
144	***/
145	char *string() const
146	{ return abac_condition_string(m_constraint); }
147	char *typed_string() const
148	{ return abac_condition_typed_string(m_constraint); }
149	/***
150	abac_condition_t *constraint()
151	returns internal constraint structure
152	***/
153	abac_condition_t *constraint()
154	{ return m_constraint; }
155	private:
156	abac_condition_t *m_constraint;
157	};
158
159	/***
160	ABAC::DataTerm
161	A data term is associated with Role and Oset as a parameter that
162	maybe be instantiated or uninstantiated but being constrained,
163	or as a principal oset term (standalone right handside of an oset
164	policy rule). It holds a pointer to a abac_term_t structure and
165	an optional constraint that may be imposed on this data term if it
166	is indeed an unistantiated variable.
167	***/
168	class DataTerm {
169	public:
170	/***
171	DataTerm()
172	default constructure, do not use, for swig only
173	DataTerm(const DataTerm &)
174	copy constructor, used for cloning a data term
175	~DataTerm()
176	default destructor
177	***/
178	DataTerm() : m_term(NULL) { } // do not use: here for swig
179	DataTerm(const DataTerm &dterm) {
180	m_term =abac_term_dup(dterm.m_term);
181	abac_condition_t *constraint=abac_term_constraint(m_term);
182	if(constraint) m_cond=new Constraint(constraint);
183	else m_cond=NULL;
184	}
185	~DataTerm() {
186	if(m_term) abac_term_free(m_term);
187	if(m_cond) free(m_cond);
188	}
189	/*** ???
190	DataTerm(abac_term_t *)
191	constructor to make data term from abac_term_t structure
192	***/
193	DataTerm(abac_term_t *term) {
194	m_term=abac_term_dup(term);
195	abac_condition_t *constraint=abac_term_constraint(m_term);
196	if(constraint) m_cond=new Constraint(constraint);
197	else m_cond=NULL;
198	}
199	/***
200	DataTerm(char*)
201	constructor to make named principal data term for the oset RHS
202	DataTerm(char, char, Constraint*)
203	constructor for making a variable data term or an instantiated
204	data term
205	***/
206	DataTerm(char *sha) {
207	if(debug) printf("adding a Dataterm named principal(%s)\n",sha);
208	int isnamed=1;
209	int type=e_TERM_PRINCIPAL;
210	m_term=abac_term_named_create(type,sha);
211	}
212	DataTerm(char* typenm, char name, Constraint cond=NULL) {
213	int type=abac_verify_term_type(typenm);
214	if(debug) printf("adding a Dataterm (%s)\n",name);
215	if(type==ABAC_TERM_FAIL)
216	abac_errx(1, "DataTerm, fail to create the term");
217	if(cond) {
218	m_cond=cond;
219	m_term=abac_term_create(type,name,cond->constraint());
220	} else {
221	m_cond=NULL;
222	m_term=abac_term_create(type,name,NULL);
223	}
224	}
225	/***
226	char *string() const
227	returns literal string of the data term
228	char *typed_string() const
229	returns typed literal string of the data term
230	***/
231	char *string() const
232	{ return abac_term_string(m_term); }
233	char *typed_string() const
234	{ return abac_term_typed_string(m_term); }
235	/***
236	bool is_time() const
237	bool is_string() const
238	bool is_urn() const
239	bool is_integer() const
240	returns true if data term is of certain type
241	***/
242	bool is_time() const
243	{ return abac_term_is_time_type(m_term); }
244	bool is_string() const
245	{ return abac_term_is_string_type(m_term); }
246	bool is_urn() const
247	{ return abac_term_is_urn_type(m_term); }
248	bool is_integer() const
249	{ return abac_term_is_integer_type(m_term); }
250	/***
251	int add_constraint(const Contraint&)
252	Utiltiy routine to add a constraint to this data term
253	***/
254	int add_constraint(const Constraint& cond) {
255	m_cond=new Constraint(cond);
256	abac_term_add_constraint(m_term, m_cond->constraint());
257	}
258	/***
259	int type() const
260	returns subtype of the data term
261	char *name() const
262	returns the name of the data term
263	***/
264	int type() const
265	{ abac_term_type(m_term); }
266	char *name() const
267	{ return abac_term_name(m_term); }
268	/*** ??? value
269	char *value() const
270	Not implemented
271	***/
272	char *value() const { }
273	/***
274	abac_term_t *term()
275	returns internal data term structure
276	Constraint *constraint()
277	returns internal constraint structure to the data term
278	***/
279	abac_term_t *term()
280	{ return m_term; }
281	Constraint *constraint()
282	{ return m_cond; }
283	private:
284	abac_term_t *m_term;
285	Constraint *m_cond;
286	};
287
288
289	class Role {
290	public:
291	Role() : m_role(NULL) { } // do not use: here for swig
292	Role(abac_aspect_t *role): m_role(abac_aspect_dup(role))
293	{ }
294	Role(char *principal_name) :
295	m_role(abac_aspect_role_principal_create(principal_name))
296	{ }
297	Role(char principal_name, char role_name) :
298	m_role(abac_aspect_role_create(principal_name, role_name))
299	{ }
300	Role(const Role &role) {
301	m_role = abac_aspect_dup(role.m_role);
302	}
303	~Role() {
304	if (m_role) abac_aspect_free(m_role);
305	}
306	bool is_principal() const {
307	return abac_aspect_is_principal(m_role);
308	}
309	bool is_linking() const {
310	return abac_aspect_is_linking(m_role);
311	}
312	char *string() const {
313	return abac_aspect_string(m_role);
314	}
315	char *typed_string() {
316	char* string=abac_aspect_typed_string(m_role);
317	return string;
318	}
319	char *linked_role() const {
320	return abac_aspect_linked_role_name(m_role);
321	}
322	char *role_name() const {
323	return abac_aspect_aspect_name(m_role);
324	}
325	char *principal() const {
326	return abac_aspect_principal_name(m_role);
327	}
328	/* Add a data term to this name. */
329	int add_data_term(DataTerm& d) {
330	abac_aspect_add_param(m_role, d.term());
331	return 1;
332	}
333	/* Return the DataTerms bound to this name. If the name is returned
334	in a proof, these will all have values. */
335	std::vector<DataTerm> get_data_terms(bool &success) {
336	abac_term_t terms, end;
337	int i;
338	terms = abac_param_list_vectorize(abac_aspect_aspect_params(m_role));
339	for (i = 0; terms[i] != NULL; ++i)
340	;
341	end = &terms[i];
342	std::vector<DataTerm> dataterms = std::vector<DataTerm>(terms, end);
343	abac_terms_free(terms);
344	success=1;
345	return dataterms;
346	}
347	int add_linking_data_term(DataTerm& d) {
348	abac_aspect_add_linked_param(m_role, d.term());
349	return 1;
350	}
351	std::vector<DataTerm> get_linked_data_terms(bool &success) {
352	abac_term_t terms, end;
353	int i;
354	terms = abac_param_list_vectorize(abac_aspect_linked_role_params(m_role));
355	for (i = 0; terms[i] != NULL; ++i)
356	;
357	end = &terms[i];
358	std::vector<DataTerm> dataterms = std::vector<DataTerm>(terms, end);
359	abac_terms_free(terms);
360	success=1;
361	return dataterms;
362	}
363	abac_aspect_t *role() {return m_role;}
364	private:
365	abac_aspect_t *m_role;
366	};
367
368	class Oset {
369	public:
370	Oset() : m_oset(NULL) { } // do not use: here for swig
371	Oset(abac_aspect_t *oset): m_oset(abac_aspect_dup(oset))
372	{ }
373	Oset(char *oset_name) : m_oset(abac_aspect_oset_principal_create(oset_name))
374	{ }
375	Oset(char principal_name, char oset_name) :
376	m_oset(abac_aspect_oset_create(principal_name, oset_name))
377	{ }
378	Oset(DataTerm& d) :
379	m_oset(abac_aspect_oset_object_create(d.term()))
380	{ }
381	Oset(const Oset &oset) {
382	m_oset =abac_aspect_dup(oset.m_oset);
383	}
384	~Oset() {
385	if(m_oset) abac_aspect_free(m_oset);
386	}
387	bool is_object() const {
388	return abac_aspect_is_object(m_oset);
389	}
390	bool is_principal() const {
391	return abac_aspect_is_principal(m_oset);
392	}
393	bool is_linking() const {
394	return abac_aspect_is_linking(m_oset);
395	}
396	char *string() const {
397	return abac_aspect_string(m_oset);
398	}
399	char *typed_string() {
400	char* string=abac_aspect_typed_string(m_oset);
401	return string;
402	}
403	char *linked_role() const {
404	return abac_aspect_linked_role_name(m_oset);
405	}
406	char *oset_name() const {
407	return abac_aspect_aspect_name(m_oset);
408	}
409	char *principal() const {
410	return abac_aspect_principal_name(m_oset);
411	}
412	char *object() const {
413	return abac_aspect_object_name(m_oset);
414	}
415	/* Add a data term to this name. */
416	int add_data_term(DataTerm& d) {
417	abac_aspect_add_param(m_oset, d.term());
418	return 1;
419	}
420	/* Return the DataTerms bound to this name. If the name is returned
421	in a proof, these will all have values. */
422	std::vector<DataTerm> get_data_terms(bool &success) {
423	abac_term_t terms, end;
424	int i;
425	terms = abac_param_list_vectorize(abac_aspect_aspect_params(m_oset));
426	for (i = 0; terms[i] != NULL; ++i)
427	;
428	end = &terms[i];
429	std::vector<DataTerm> dataterms = std::vector<DataTerm>(terms, end);
430	abac_terms_free(terms);
431	success=1;
432	return dataterms;
433	}
434	int add_linking_data_term(DataTerm& d) {
435	abac_aspect_add_linked_param(m_oset, d.term());
436	return 1;
437	}
438	std::vector<DataTerm> get_linked_data_terms(bool &success) {
439	abac_term_t terms, end;
440	int i;
441	terms = abac_param_list_vectorize(abac_aspect_linked_role_params(m_oset));
442	for (i = 0; terms[i] != NULL; ++i)
443	;
444	end = &terms[i];
445	std::vector<DataTerm> dataterms = std::vector<DataTerm>(terms, end);
446	abac_terms_free(terms);
447	success=1;
448	return dataterms;
449	}
450	abac_aspect_t *oset() {return m_oset;}
451	private:
452	abac_aspect_t *m_oset;
453	};
454
455
456	class ID {
457	public:
458	ID() : m_id(NULL) { } // do not use: here for swig
459	ID(abac_id_t *id): m_id(abac_id_dup(id))
460	{ }
461	ID(abac_id_credential_t *idcred) {
462	if(idcred)
463	m_id=abac_id_dup(abac_id_credential_id(idcred));
464	else m_id=NULL;
465	}
466	ID(const ID &id) { m_id =abac_id_dup(id.m_id); }
467	~ID() { if(m_id) abac_id_free(m_id); }
468
469	/* load an ID cert from a file
470	Will throw an exception if the cert cannot be loaded */
471	ID(char *filename) {
472	m_id=abac_id_from_file(filename);
473	if(m_id==NULL)
474	abac_errx(1, "Id creation from filename failed");
475	}
476	/* generates a new ID with the supplied CN and validity period
477	- CN must be alphanumeric and begin with a letter
478	- validity must be at least one second
479	Will throw an exception if either of the above is violated */
480	ID(char *cn, int validity) {
481	int rt=abac_id_generate(&m_id, cn, validity);
482	if(rt != ABAC_ID_SUCCESS)
483	abac_errx(1, "Id creation failed");
484	}
485	/* loads the private key associated with the cert
486	will throw an exception if the key cannot be loaded */
487	void load_privkey(char *filename) {
488	int rt=abac_id_load_privkey_file(m_id, filename);
489	if(rt != 1)
490	abac_errx(1, "Failed to load private key");
491	}
492	abac_id_t *id() { return m_id; }
493
494	/* returns the SHA1 keyid of the cert */
495	char *keyid() { return abac_id_keyid(m_id); }
496	/* returns the CN */
497	char *name() { return abac_id_cn(m_id); }
498	/* returns true if the ID has an associated private key */
499	bool has_privkey() {
500	return abac_id_has_privkey(m_id);
501	}
502	/* writes a PEM-encoded cert to the file handle */
503	void write_cert(FILE *out) {
504	abac_id_write_cert(m_id, out);
505	}
506	/* writes a PEM-encoded cert to a file named out */
507	void write_cert(char *filename) {
508	FILE *out = fopen(filename, "a");
509	write_cert(out);
510	fclose(out);
511	}
512	/* writes a PEM-encoded private key to the file handle
513	throws an exception if no private key is loaded */
514	void write_privkey(FILE *out) {
515	if(!has_privkey())
516	abac_errx(1, "No privkey to write");
517	abac_id_write_privkey(m_id, out);
518	}
519	/* writes a PEM-encoded private key a file named out
520	throws an exception if no private key is loaded */
521	void write_privkey(char *filename) {
522	FILE *out = fopen(filename, "a");
523	write_privkey(out);
524	fclose(out);
525	}
526	/* returns a DER-encoded binary representation of the X.509 ID cert
527	associated with this ID.
528	can be passed to libabac's Context::load_id_chunk() */
529	abac_chunk_t cert_chunk() {
530	return abac_id_cert_chunk(m_id);
531	}
532	char *string() {
533	char *tmp=NULL;
534	if(has_privkey())
535	asprintf(&tmp,"(%s,%s,y)",abac_id_name(m_id),abac_id_idtype_string(m_id));
536	else asprintf(&tmp,"(%s,%s,n)",abac_id_name(m_id),abac_id_idtype_string(m_id));
537	return tmp;
538	}
539	public:
540	abac_id_t *m_id;
541	};
542
543
544	/* N.B., The way you use this class is by instantiating the object, adding
545	subjects to it, and then baking it. Only once it's baked can you access the
546	X.509 cert. Once it's been baked you can no longer add subjects to it. */
547	class Attribute {
548	public:
549	Attribute() : m_attr(NULL) { } // do not use: here for swig
550	Attribute(abac_attribute_t *attr): m_attr(abac_attribute_dup(attr))
551	{ }
552	Attribute(abac_credential_t *cred) {
553	m_attr=abac_attribute_dup(abac_credential_attribute(cred));
554	}
555	Attribute(const Attribute &id) {
556	m_attr =abac_attribute_dup(id.m_attr);
557	}
558	~Attribute() {
559	if(m_attr) abac_attribute_free(m_attr);
560	}
561	/* Create an object to be signed by the given issuer with the given role
562	and validity period
563	An exception will be thrown if:
564	- the issuer has no private key
565	- the Head is invalid
566	- the validity period is invalid (must be >= 1 second) */
567	Attribute(Role& head, int validity) {
568	int rt=abac_attribute_create(&m_attr, head.role(), NULL, validity);
569	if(rt!=ABAC_ATTRIBUTE_SUCCESS)
570	abac_errx(1, "attribute(role), unable to make an attribute");
571	}
572	Attribute(Oset& head, int validity) {
573	int rt=abac_attribute_create(&m_attr, head.oset(), NULL, validity);
574	if(rt!=ABAC_ATTRIBUTE_SUCCESS)
575	abac_errx(1, "attribute(oset), unable to make an attribute");
576	}
577	bool add_tail(Role& tail) {
578	if(abac_attribute_add_tail(m_attr, tail.role()))
579	return 1;
580	else return 0;
581	}
582	bool add_tail(Oset& tail) {
583	if(abac_attribute_add_tail(m_attr, tail.oset()))
584	return 1;
585	else return 0;
586	}
587	char *head_string() {
588	abac_aspect_t *head=abac_attribute_head(m_attr);
589	char *string=abac_aspect_string(head);
590	return string;
591	}
592	char *tail_string() {
593	abac_aspect_t *tail=abac_attribute_tail(m_attr);
594	char *string=abac_aspect_string(tail);
595	return string;
596	}
597	char *head_typed_string() {
598	abac_aspect_t *head=abac_attribute_head(m_attr);
599	char *string=abac_aspect_typed_string(head);
600	return string;
601	}
602	char *tail_typed_string() {
603	abac_aspect_t *tail=abac_attribute_tail(m_attr);
604	char *string=abac_aspect_typed_string(tail);
605	return string;
606	}
607	char *string() {
608	char *head=head_string();
609	char *tail=tail_string();
610	if(head==NULL \|\| tail==NULL)
611	abac_errx(1, "attribute string, head and tail can not be NULL");
612	char *tmp=NULL;
613	asprintf(&tmp,"%s<-%s",head,tail);
614	return tmp;
615	}
616	char *typed_string() {
617	char *head=head_typed_string();
618	char *tail=tail_typed_string();
619	if(head==NULL \|\| tail==NULL)
620	abac_errx(1, "attribute string, head and tail can not be NULL");
621	char *tmp=NULL;
622	asprintf(&tmp,"%s<-%s",head,tail);
623	return tmp;
624	}
625	const Role &role_head() {
626	abac_aspect_t *head=abac_attribute_head(m_attr);
627	static Role role=Role(head);
628	return role;
629	}
630	const Oset &oset_head() {
631	abac_aspect_t *head=abac_attribute_tail(m_attr);
632	static Oset oset=Oset(head);
633	return oset;
634	}
635	std::vector<Role> role_tails(bool &success) {
636	abac_aspect_t tails, end;
637	int i;
638	tails = abac_attribute_tail_vectorized(m_attr);
639	for (i = 0; tails[i] != NULL; ++i)
640	;
641	end = &tails[i];
642	std::vector<Role> roles = std::vector<Role>(tails, end);
643	abac_aspects_free(tails);
644	success=1;
645	return roles;
646	}
647	std::vector<Oset> oset_tails(bool &success) {
648	abac_aspect_t tails, end;
649	int i;
650	tails = abac_attribute_tail_vectorized(m_attr);
651	for (i = 0; tails[i] != NULL; ++i)
652	;
653	end = &tails[i];
654	std::vector<Oset> osets = std::vector<Oset>(tails, end);
655	success=1;
656	abac_aspects_free(tails);
657	return osets;
658	}
659	abac_attribute_t *attribute() { return m_attr; }
660
661	/* Generate the cert. Call this after you've added subjects to your cert.
662	This returns false if there are no subjects
663	This will throw an exception if the cert's already been baked. */
664	bool bake() {
665	/* can not bake in ABAC_CN mode */
666	if(USE("ABAC_CN"))
667	abac_errx(1, "bake, can not bake the cert with env(ABAC_CN) set");
668	int rt=abac_attribute_bake(m_attr);
669	if(rt!=1)
670	abac_errx(1, "bake, can not bake the cert");
671	}
672	/* Returns true iff the cert has been baked. */
673	bool baked() {
674	return abac_attribute_baked(m_attr);
675	}
676	/* Write the DER-encoded X.509 attribute cert to the open file handle
677	Throws an exception if the cert isn't baked */
678	void write_cert(FILE *out) {
679	int rt= abac_attribute_write(m_attr,out);
680	if(!rt)
681	abac_errx(1, "write, cert is not baked");
682	}
683	/* Write the DER-encoded X.509 attribute cert to a file named out
684	Throws an exception if the cert isn't baked */
685	void write_cert(char *filename) {
686	FILE *out = fopen(filename, "w");
687	printf("writing to %s\n", filename);
688	write_cert(out);
689	printf("done writing to %s\n", filename);
690	fclose(out);
691	}
692	/* returns a DER-encoded binary representation of the X.509 attribute
693	cert associated with this cert
694	Throws an exception if the cert isn't baked
695	the chunk can be passed to libabac's Context::load_attribute_chunk() */
696	abac_chunk_t cert_chunk() {
697	return abac_attribute_cert_chunk(m_attr);
698	}
699	/* generate yap clauses and injected into db */
700	int consume() {
701	/* attribute needs to be baked */
702	if(!baked()) {
703	return ABAC_ATTRIBUTE_FAIL;
704	}
705	}
706	private:
707	abac_attribute_t *m_attr;
708	};
709
710
711	class Context {
712	public:
713	Context() { m_ctx = abac_context_new(); m_abac_version=strdup("1.0"); }
714	Context(const Context &context) {
715	m_ctx = abac_context_dup(context.m_ctx);
716	m_abac_version=strdup(context.m_abac_version);
717	}
718	~Context() {
719	abac_context_free(m_ctx);
720	if(m_abac_version) free(m_abac_version);
721	}
722
723	/* load an identity certificate, returns:
724	ABAC_CERT_SUCCESS successfully loaded
725	ABAC_CERT_INVALID invalid certificate (or file not found)
726	ABAC_CERT_BAD_SIG invalid signature */
727	void dump_yap() {
728	show_yap_db("dump_yap");
729	}
730	int load_id(ABAC::ID& id) {
731	return abac_context_load_id_id(m_ctx, id.id());
732	}
733	int load_id_file(char *filename) {
734	return abac_context_load_id_idkey_file(m_ctx, filename);
735	}
736	int load_id_file(char filename, char keyfilename) {
737	return abac_context_load_id_id_file_key_file(m_ctx, filename, keyfilename);
738	}
739	int load_id_chunk(abac_chunk_t cert) {
740	return abac_context_load_id_chunk(m_ctx, cert);
741	}
742	/* load an attribute certificate, returns the same values as above
743	* additionally can return ABAC_CERT_MISSING_ISSUER if the issuer
744	certificate has not been loaded */
745	int load_attribute(ABAC::Attribute& a) {
746	return abac_context_load_attribute_attribute(m_ctx, a.attribute());
747	}
748	int load_attribute_file(char *filename) {
749	return abac_context_load_attribute_file(m_ctx, filename);
750	}
751	int load_attribute_chunk(abac_chunk_t cert) {
752	return abac_context_load_attribute_chunk(m_ctx, cert);
753	}
754	/* load a directory full of certificates:
755	first: ${path}/*_ID.{der,pem} as identity certificates
756	then: ${path}/_attr.der as attribute certificates /
757	void load_directory(char *path) {
758	abac_context_load_directory(m_ctx, path);
759	}
760	/* run the query:
761	role <-?- principal
762	returns true/false in success
763	returns a proof upon success, partial proof on failure */
764	/* the string version is for query that is composed by hand with SHA or
765	in non ABAC_CN mode */
766	std::vector<Attribute> query(char role, char principal, bool &success) {
767	abac_credential_t creds, end;
768	int i, success_int;
769
770	creds = abac_context_query(m_ctx, role, principal, &success_int);
771	success = success_int;
772
773	for (i = 0; creds[i] != NULL; ++i)
774	;
775
776	end = &creds[i];
777	std::vector<Attribute> attributes = std::vector<Attribute>(creds, end);
778	if(debug) printf("query, got rules(%d)\n", i);
779
780	abac_context_credentials_free(creds);
781
782	return attributes;
783	}
784
785	/* another way */
786	std::vector<Attribute> query(Role &role, Role &p_role, bool &success) {
787	abac_credential_t creds, end;
788	int i, success_int;
789
790	creds = abac_context_query_with_structure(m_ctx, role.role(), p_role.role(), &success_int);
791	success = success_int;
792
793	for (i = 0; creds[i] != NULL; ++i)
794	;
795
796	end = &creds[i];
797	std::vector<Attribute> attributes = std::vector<Attribute>(creds, end);
798
799	abac_context_credentials_free(creds);
800
801	return attributes;
802	}
803
804	std::vector<Attribute> query(Oset &oset, Oset &p_oset, bool &success) {
805	abac_credential_t creds, end;
806	int i, success_int;
807
808	creds = abac_context_query_with_structure(m_ctx, oset.oset(), p_oset.oset(), &success_int);
809	success = success_int;
810
811	for (i = 0; creds[i] != NULL; ++i)
812	;
813
814	end = &creds[i];
815	std::vector<Attribute> attributes = std::vector<Attribute>(creds, end);
816	if(debug) printf("query, returning rules(%d)\n", i);
817
818	abac_context_credentials_free(creds);
819
820	return attributes;
821	}
822
823	/* returns a vector of all the credentials loaded in the context */
824	std::vector<Attribute> context_credentials(bool &success) {
825	abac_credential_t creds, end;
826	int i;
827	success = 1;
828
829	creds = abac_context_credentials(m_ctx);
830	for (i = 0; creds[i] != NULL; ++i)
831	;
832
833	end = &creds[i];
834	std::vector<Attribute> attributes = std::vector<Attribute>(creds, end);
835	if(debug) printf("credentials, got (%d)\n", i);
836
837	abac_context_credentials_free(creds);
838	if(debug) show_yap_db("calling from context_credentials");
839	return attributes;
840	}
841
842	/* returns a vector of all the principals loaded in the context */
843	std::vector<ID> context_principals(bool &success) {
844	abac_id_credential_t ids, end;
845	int i;
846	success = 1;
847
848	ids = abac_context_principals(m_ctx);
849	for (i = 0; ids[i] != NULL; ++i)
850	;
851
852	end = &ids[i];
853	std::vector<ID> principals = std::vector<ID>(ids, end);
854	if(debug) printf("principals, got (%d)\n", i);
855
856	abac_context_principals_free(ids);
857	return principals;
858	}
859
860	char *version() const { return m_abac_version; }
861
862	private:
863	abac_context_t *m_ctx;
864	char *m_abac_version;
865	};
866
867	Constraint::Constraint(Role& role)
868	{ m_constraint=abac_condition_create_from_aspect(role.role()); }
869	Constraint::Constraint(Oset &oset)
870	{ m_constraint=abac_condition_create_from_aspect(oset.oset()); }
871	}
872
873	#endif /* __ABAC_HH__ */

Note: See TracBrowser for help on using the repository browser.

Download in other formats: